Hi,
I'm running the Elastic stack 8.1
I want to create a filter that has more than one condition and therefore avoid creating the same filter for all possibilities again and again. An example: I want the IF condition to apply when the field "method" contains one of these values: "reply", "reply[A]", "reply[AAAA]".
My last attempt looks like this:
if [method] == ["reply", "reply[A]", "reply[AAA]"] {
grok {...
but it doesn't seem to work.
In another filter, I would like to query whether the tag content is stored in a local text file, delimited for example by newline or comma. Is that possible, and if so, how?
Thanks for your help!
You can do this with a few "or" statements, or the second option is using a regex, where if "reply" shows up anywhere in the value then it will match.
if [method] == "reply" or [method] == "reply[A]" or [method] == "reply[AAA]"
or
if [method] =~ /reply/
Thank you @aaron-nimocks !
I solved it in the meantime, found a similar approach:
if [method] =~ /^repl*/ {mutate { ...
More examples like the one you provided would be great in the documentation.
I am now trying to solve the "look for the string in a file" question.
My approach so far is to use "translate" and "csv", and add a tag or field when the string is found. But for sure there is a more elegant approach?
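An added example (not either poster's configuration) that covers both questions in one Logstash 8 filter block: the "in" operator tests list membership, so the three method values need no chain of "or" clauses and no substring-matching regex, and the translate filter looks the tag up in a local comma-delimited file. The field names [method] and [tag], the dictionary path and its contents are assumptions made for the illustration.

```logstash
# Added example pipeline, not the original posters' config.
# Assumes events carry a [method] string and a [tag] string, and that
# /etc/logstash/known_tags.csv exists with one "key,value" pair per line, e.g.
#   alpha,team-a
#   beta,team-b
filter {
  # Exact membership test: true only when [method] equals one of the listed
  # values. Unlike "=~ /reply/", this does not also match "noreply" or "replying",
  # so unrelated events cannot slip into the branch.
  if [method] in ["reply", "reply[A]", "reply[AAAA]"] {
    mutate { add_tag => ["dns_reply"] }
  }

  # Anchored regex alternative when the bracketed suffix varies: "reply",
  # optionally followed by one or more "A" inside brackets, and nothing else.
  if [method] =~ /^reply(\[A+\])?$/ {
    mutate { add_field => { "[@metadata][is_reply]" => "true" } }
  }

  # File lookup: translate reads the CSV dictionary and, when [tag] is one of
  # its keys, writes the matching value to [tag_owner] and adds "known_tag".
  # When the key is absent nothing is added, so the tag marks only events whose
  # value was found in the file.
  translate {
    source           => "[tag]"
    target           => "[tag_owner]"
    dictionary_path  => "/etc/logstash/known_tags.csv"
    refresh_interval => 300          # re-read the file every 300 seconds
    exact            => true
    add_tag          => ["known_tag"]
  }
}
```

The source/target option names belong to translate 3.3 and later, which is what Logstash 8.x ships; older plugin releases call them field and destination.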